From 3d24de992db8a475159cb6cd80597bccb242bcf5 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 16 May 2020 23:41:11 +0200
Subject: [PATCH] Add restarts and stricter sandbox. Add influx
---
 templates/haproxy.service.j2 | 9 ++++++++-
 templates/influxdb.service.j2 | 26 ++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 templates/influxdb.service.j2
diff --git a/templates/haproxy.service.j2 b/templates/haproxy.service.j2
index 12563cc..0d57e7f 100644
--- a/templates/haproxy.service.j2
+++ b/templates/haproxy.service.j2
@@ -1,16 +1,23 @@
+[Unit]
+StartLimitIntervalSec=0
+
 [Service]
 User=nobody
 Group=nogroup
+Restart=always
+RestartSec=10
+
 Environment=
 Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"
 ProtectHome=true
-ProtectSystem=true
+ProtectSystem=strict
 PrivateTmp=yes
 PrivateDevices=yes
 RuntimeDirectory=haproxy
+SecureBits=noroot
 NoNewPrivileges=true
 RestrictSUIDSGID=yes
 MemoryDenyWriteExecute=yes
diff --git a/templates/influxdb.service.j2 b/templates/influxdb.service.j2
new file mode 100644
index 0000000..07ea39b
--- /dev/null
+++ b/templates/influxdb.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=10
+
+# TODO: Add mounts
+TemporaryFileSystem=/:ro
+BindReadOnlyPaths=/etc/influxdb /usr /lib /lib64
+
+SecureBits=noroot
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes
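Review bot: `StartLimitIntervalSec=0` combined with `Restart=always` in the added `[Unit]`/`[Service]` lines switches off systemd's start rate limit, so a haproxy that dies on every start (broken config, or a crash provoked by hostile traffic) is relaunched every 10 seconds indefinitely and never settles in the `failed` state that monitoring usually alerts on. Consider a finite limit, for example `StartLimitIntervalSec=300` with `StartLimitBurst=5` and `Restart=on-failure`, or add a comment such as `# unlimited restarts are intentional: <reason>` so the choice is reviewable. The same two settings are repeated in the new templates/influxdb.service.j2. Separately, `SecureBits=noroot` is normally paired with its lock so the bit cannot be cleared later: `SecureBits=noroot noroot-locked`.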
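Review bot: The new unit mounts an empty read-only root (`TemporaryFileSystem=/:ro`) and binds only `/etc/influxdb /usr /lib /lib64`, all read-only, so apart from the private `/tmp` the service has no writable location for its database files; the `# TODO: Add mounts` comment acknowledges the gap but the template ships without it. Until the data directory is bound read-write with something like `BindPaths=<influxdb-data-dir>` (placeholder, the path is not visible in this patch), InfluxDB will presumably fail at startup and then loop every 10 seconds under the unlimited restart settings at the top of the file. The file also sets no `User=`/`Group=`, unlike the haproxy template; since it has no `ExecStart=` it is presumably a drop-in over a packaged unit that sets them, which is worth confirming and noting in a comment. `ProtectSystem=strict` adds little once the root is already a read-only tmpfs, so either drop it or comment it as deliberate defence in depth.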